Merge branch 'main' into gha-hardening-pull-request-target

Author: wrslatz

content/actions/concepts/runners/support-for-arc.md

@@ -49,4 +49,4 @@ For more information about contacting {% data variables.contact.github_support %
 
 ## Working with {% data variables.contact.github_support %} for Actions Runner Controller
 
-{% data variables.contact.github_support %} may ask questions about your Actions Runner Controller deployment and request that you collect and attach the [controller, listener](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors#checking-the-logs-of-the-controller-and-runner-set-listener), and runner logs to the support ticket.
+{% data variables.contact.github_support %} may ask questions about your Actions Runner Controller deployment and request that you collect and attach [controller logs, listener logs](/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/troubleshooting-actions-runner-controller-errors#checking-the-logs-of-the-controller-and-runner-set-listener), runner logs, and Helm charts (`values.yaml`) to the support ticket.

content/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets.md

@@ -167,7 +167,8 @@ You can check which access policies are being applied to a secret in your organi
 > [!NOTE]
 > * {% data reusables.actions.forked-secrets %}
 > * Secrets are not automatically passed to reusable workflows. For more information, see [AUTOTITLE](/actions/using-workflows/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow).
-> {% data reusables.actions.about-oidc-short-overview %}
+> * Secrets are not available to workflows triggered by {% data variables.product.prodname_dependabot %} events. For more information, see [AUTOTITLE](/code-security/dependabot/troubleshooting-dependabot/troubleshooting-dependabot-on-github-actions#accessing-secrets).
+> * {% data reusables.actions.about-oidc-short-overview %}
 
 > [!WARNING] Mask all sensitive information that is not a {% data variables.product.prodname_dotcom %} secret by using `::add-mask::VALUE`. This causes the value to be treated as a secret and redacted from logs.
 

content/actions/tutorials/use-containerized-services/create-redis-service-containers.md

@@ -35,7 +35,7 @@ This guide shows you workflow examples that configure a service container using
 You may also find it helpful to have a basic understanding of YAML, the syntax for {% data variables.product.prodname_actions %}, and Redis. For more information, see:
 
 * [AUTOTITLE](/actions/learn-github-actions)
-* [Getting Started with Redis](https://redislabs.com/get-started-with-redis/) in the Redis documentation
+* [Getting Started with Redis](https://redis.io/learn/howtos/quick-start) in the Redis documentation
 
 ## Running jobs in containers
 

content/admin/managing-iam/configuring-authentication-for-enterprise-managed-users/configuring-saml-single-sign-on-for-enterprise-managed-users.md

@@ -108,11 +108,14 @@ After the initial configuration of SAML SSO, the only setting you can update on
 {% data reusables.enterprise-accounts.identity-provider-tab %}
 {% data reusables.enterprise-accounts.sso-configuration %}
 
-1. Under "SAML single sign-on", select **Add SAML configuration**.
+1. Under "SAML single sign-on," select **Add SAML configuration**.
 1. Under **Sign on URL**, type the HTTPS endpoint of your IdP for SSO requests that you noted while configuring your IdP.
 1. Under **Issuer**, type your SAML issuer URL that you noted while configuring your IdP, to verify the authenticity of sent messages.
 1. Under **Public Certificate**, paste the certificate that you noted while configuring your IdP, to verify SAML responses.
-1. Under **Public Certificate**, select the **Signature Method** and **Digest Method** dropdown menus, then click the hashing algorithm used by your SAML issuer.
+
+   > [!NOTE]
+   > {% data variables.product.github %} does not enforce the expiration of this SAML IdP certificate. This means that even if this certificate expires, your SAML authentication will continue to work. However, if your IdP administrator regenerates the SAML certificate, and you don't update it on the {% data variables.product.github %} side, users will encounter a `digest mismatch` error during SAML authentication attempts due to the certificate mismatch. See [Error: Digest mismatch](/admin/managing-iam/using-saml-for-enterprise-iam/troubleshooting-saml-authentication#error-digest-mismatch).
+1. Under the same **Public Certificate** section, select the **Signature Method** and **Digest Method** dropdown menus, then click the hashing algorithm used by your SAML issuer.
 1. Before enabling SAML SSO for your enterprise, to ensure that the information you've entered is correct, click **Test SAML configuration**. {% data reusables.saml.test-must-succeed %}
 1. Click **Save SAML settings**.
 

content/admin/managing-iam/using-saml-for-enterprise-iam/configuring-saml-single-sign-on-for-your-enterprise.md

@@ -92,6 +92,7 @@ For more detailed information about how to enable SAML using Okta, see [AUTOTITL
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.settings-tab %}
 {% data reusables.enterprise-accounts.security-tab %}
+
 1. {% data reusables.enterprise-accounts.view-current-policy-config-orgs %}
 1. Under "SAML single sign-on", select **Require SAML authentication**.
 1. In the **Sign on URL** field, type the HTTPS endpoint of your IdP for single sign-on requests. This value is available in your IdP configuration.
@@ -101,6 +102,7 @@ For more detailed information about how to enable SAML using Okta, see [AUTOTITL
    To find the certificate, refer to the documentation for your IdP. Some IdPs call this an X.509 certificate.
 
 {% data reusables.saml.edit-signature-and-digest-methods %}
+
 1. Before enabling SAML SSO for your enterprise, to ensure that the information you've entered is correct, click **Test SAML configuration** . {% data reusables.saml.test-must-succeed %}
 1. Click **Save**.
 {% data reusables.enterprise-accounts.download-recovery-codes %}
@@ -117,6 +119,7 @@ You can enable or disable SAML authentication for {% data variables.location.pro
 {% data reusables.enterprise_site_admin_settings.access-settings %}
 {% data reusables.enterprise_site_admin_settings.management-console %}
 {% data reusables.enterprise_management_console.authentication %}
+
 1. Under "Authentication", select **SAML**.
 1. {% data reusables.enterprise_user_management.built-in-authentication-option %}
 1. Optionally, to enable unsolicited response SSO, select **IdP initiated SSO**. By default, {% data variables.product.prodname_ghe_server %} will reply to an unsolicited Identity Provider (IdP) initiated request with an `AuthnRequest` back to the IdP.
@@ -129,18 +132,23 @@ You can enable or disable SAML authentication for {% data variables.location.pro
 
    You must ensure that your IdP supports encrypted assertions and that the encryption and key transport methods in the management console match the values configured on your IdP. You must also provide {% data variables.location.product_location %}'s public certificate to your IdP. For more information, see [AUTOTITLE](/admin/identity-and-access-management/using-saml-for-enterprise-iam/enabling-encrypted-assertions).
 
-1. Under "Single sign-on URL," type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to [configure {% data variables.location.product_location %} to use internal nameservers](/admin/configuration/configuring-network-settings/configuring-dns-nameservers).
+1. In the **Single sign-on URL** field, type the HTTP or HTTPS endpoint on your IdP for single sign-on requests. This value is provided by your IdP configuration. If the host is only available from your internal network, you may need to [configure {% data variables.location.product_location %} to use internal nameservers](/admin/configuration/configuring-network-settings/configuring-dns-nameservers).
 1. Optionally, in the **Issuer** field, type your SAML issuer's name. This verifies the authenticity of messages sent to {% data variables.location.product_location %}.
 1. Select the **Signature Method** and **Digest Method** dropdown menus, then click the hashing algorithm used by your SAML issuer to verify the integrity of the requests from {% data variables.location.product_location %}.
 1. Select the **Name Identifier Format** dropdown menu, then click a format.
-1. Under "Verification certificate," click **Choose File**, then choose a certificate to validate SAML responses from the IdP.
+1. Under "Verification certificate", click **Choose File**, then choose a certificate to validate SAML responses from the IdP.
+
+   > [!NOTE]
+   > {% data variables.product.github %} does not enforce the expiration of this SAML IdP certificate. This means that even if this certificate expires, your SAML authentication will continue to work. However, if your IdP administrator regenerates the SAML certificate, and you don't update it on the {% data variables.product.github %} side, users will encounter a `digest mismatch` error during SAML authentication attempts due to the certificate mismatch. See [Error: Digest mismatch](/admin/managing-iam/using-saml-for-enterprise-iam/troubleshooting-saml-authentication#error-digest-mismatch).
+
 1. Under "User attributes", modify the SAML attribute names to match your IdP if needed, or accept the default names.
 
 {% endif %}
 
 ## Further reading
 
 {%- ifversion ghec %}
+
 * [AUTOTITLE](/organizations/managing-saml-single-sign-on-for-your-organization)
 {%- endif %}
 {%- ifversion ghes %}

content/admin/managing-iam/using-saml-for-enterprise-iam/troubleshooting-saml-authentication.md

@@ -31,22 +31,24 @@ For more information about SAML response requirements, see [AUTOTITLE](/admin/id
 You can configure {% data variables.product.prodname_ghe_server %} to write verbose debug logs for every SAML authentication attempt. You may be able to troubleshoot failed authentication attempts with this extra output.
 
 > [!WARNING]
+>
 > * Only enable SAML debugging temporarily, and disable debugging immediately after you finish troubleshooting. If you leave debugging enabled, the size of the logs increases much faster than usual, which can negatively impact the performance of {% data variables.product.prodname_ghe_server %}.
 > * Test new authentication settings for {% data variables.location.product_location %} in a staging environment before you apply the settings in your production environment. For more information, see [AUTOTITLE](/admin/installation/setting-up-a-github-enterprise-server-instance/setting-up-a-staging-instance).
 
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.policies-tab %}
 {% data reusables.enterprise-accounts.options-tab %}
+
 1. Under "SAML debugging", select the drop-down and click **Enabled**.
-1. Attempt to sign into {% data variables.location.product_location %} through your SAML IdP.
-1. Review the debug output in the systemd journal for `github-unicorn`on {% data variables.location.product_location %}. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/about-system-logs#system-logs-in-the-systemd-journal-for-github-enterprise-server).
+1. Attempt to sign in to {% data variables.location.product_location %} through your SAML IdP.
+1. Review the debug output in the `systemd` journal for `github-unicorn` on {% data variables.location.product_location %}. For more information, see [AUTOTITLE](/admin/monitoring-and-managing-your-instance/monitoring-your-instance/about-system-logs#system-logs-in-the-systemd-journal-for-github-enterprise-server).
 1. When you're done troubleshooting, select the drop-down and click **Disabled**.
 
 ## Decoding responses
 
-Some output in the systemd journal for `github-unicorn` may be Base64-encoded. You can access the administrative shell and use the `base64` utility on {% data variables.location.product_location %} to decode these responses. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh).
+Some output in the `systemd` journal for `github-unicorn` may be Base64-encoded. You can access the administrative shell and use the `base64` utility on {% data variables.location.product_location %} to decode these responses. For more information, see [AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-administrative-shell-ssh).
 
-To decode the output, run the following command, replacing ENCODED_OUTPUT with the encoded output from the log.
+To decode the output, run the following command, replacing `ENCODED_OUTPUT` with the encoded output from the log.
 
 ```shell
 base64 --decode ENCODED_OUTPUT
@@ -110,3 +112,11 @@ This error can occur in version 3.17.0 or later of {% data variables.location.pr
 {% ifversion ghec %}
 {% data reusables.saml.authentication-loop %}
 {% endif %}
+
+## Error: Digest mismatch
+
+A "Digest mismatch" error indicates that your SAML IdP is using a different SAML signing certificate than the one you have uploaded to {% data variables.product.github %}{% ifversion ghes %} or that the **Signature Method** or **Digest Method** configured on {% data variables.product.github %} differs from what your IdP is using{% endif %}.
+
+{% ifversion ghes %}Re-download this SAML certificate from your IdP and validate it using an online tool, such as the [Format a x509 cert](https://www.samltool.com/format_x509cert.php) tool from OneLogin. Then upload the SAML certificate again in the "Authentication" section in your {% data variables.product.prodname_ghe_server %} management console. See [AUTOTITLE](/admin/configuration/configuring-your-enterprise/accessing-the-management-console#accessing-the-management-console-as-an-unauthenticated-user).{% endif %}
+
+{% ifversion ghec %}Re-download this SAML certificate from your IdP and validate it using a tool such as the [Format a x509 cert](https://www.samltool.com/format_x509cert.php) tool from OneLogin. Then update the certificate saved in the {% data variables.product.github %} SAML settings.{% endif %}

content/billing/concepts/azure-subscriptions.md

@@ -0,0 +1,50 @@
+---
+title: Azure subscription payments
+intro: 'Learn about paying for metered usage of {% data variables.product.github %} plans, licenses, and usage with an Azure subscription.'
+shortTitle: Azure subscriptions
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '*'
+topics:
+  - Billing
+  - Enterprise
+  - Team
+  - Azure subscription
+contentType: concepts
+product: 'Organization and enterprise accounts can pay for any metered use of {% data variables.product.github %} using an Azure subscription. This option is not available for personal accounts.'
+---
+
+## Payment using an Azure subscription
+
+You can pay for {% data variables.product.github %} use through an Azure subscription by connecting the subscription to {% data variables.product.github %}. See [AUTOTITLE](/billing/how-tos/set-up-payment/connect-azure-sub).
+
+{% data variables.product.github %} installs a Subscription Permission Validation app (SPV app) on the Azure tenant, which it uses to get a list of available subscriptions from active directory. Installing the SPV app requires tenant-wide admin consent. You must sign into an Azure account that can provide tenant-wide admin consent, or work with an Azure administrator to configure the admin consent workflow.
+
+* [Grant tenant-wide admin consent to an application](https://learn.microsoft.com/azure/active-directory/manage-apps/grant-admin-consent) in Microsoft Docs
+* [User and admin consent in Azure Active Directory](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/user-admin-consent-overview#admin-consent-workflow) in Microsoft Docs.
+
+>[!TIP] If your tenant provides user consent settings, users included in those settings might not require admin consent to install the {% data variables.product.company_short %} SPV app. See [User consent](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/user-admin-consent-overview#user-consent) in Microsoft Docs.
+
+## Billing cycle for Azure
+
+If you link your {% data variables.product.github %} account to Azure, any usage-based costs starting from that point will be billed through Azure and charged on the 1st of each month. However, any remaining {% data variables.product.github %} charges, for example, charges for your {% data variables.product.prodname_dotcom %} plan, will still be billed on your usual billing date.
+
+Prepaid usage is not currently available for usage-based billing through Azure.
+
+### Calculation example
+
+You link your Azure subscription to your organization or enterprise account on **June 16th** and you also have a {% data variables.copilot.copilot_for_business %} subscription.
+
+* From that June 16th onwards, any usage costs for {% data variables.copilot.copilot_business_short %}, with any costs for metered use over the included amounts, is included in your Azure bill and charged on **July 1st** and on the first of every month.
+* Any charges incurred before June 16th are billed separately through {% data variables.product.github %} on your account's usual billing date.
+
+## Use of {% data variables.product.prodname_ghe_cloud %} through a Microsoft Enterprise Agreement
+
+If you use {% data variables.product.prodname_ghe_cloud %} through a Microsoft Enterprise Agreement, connecting an Azure subscription is the only way to use {% data variables.product.prodname_GHAS %}, {% data variables.product.prodname_github_codespaces %}, or {% data variables.product.prodname_copilot %}, or to use {% data variables.product.prodname_actions %}, Git Large File Storage (LFS), or {% data variables.product.prodname_registry %} beyond your plan's included amounts.
+
+## Next steps
+
+For instructions on connecting your Azure subscription, see [AUTOTITLE](/billing/how-tos/set-up-payment/connect-azure-sub).
+
+For reference information, see [AUTOTITLE](/billing/reference/azure-subscription).

content/billing/concepts/index.md

@@ -11,11 +11,11 @@ topics:
 children:
   - /billing-cycles
   - /license-consumption
+  - /azure-subscriptions
   - /impact-of-plan-changes
   - /discounted-plans
   - /enterprise-billing
   - /product-billing
   - /third-party-payments
 contentType: concepts
 ---
-

content/billing/how-tos/pay-third-parties/cancel-marketplace-app.md

@@ -25,9 +25,7 @@ contentType: how-tos
 
 {% ifversion fpt %}{% data reusables.marketplace.marketplace-app-page %}{% endif %}
 
-When you cancel an app, your subscription remains active until the end of your current billing cycle. The cancellation takes effect on your next billing date. For more information, see [AUTOTITLE](/billing/managing-billing-for-github-marketplace-apps/about-billing-for-github-marketplace).
-
-When you cancel a free trial on a paid plan, your subscription is immediately canceled and you will lose access to the app. If you don't cancel your free trial within the trial period, the payment method on file for your account will be charged for the plan you chose at the end of the trial period. For more information, see [AUTOTITLE](/billing/managing-billing-for-github-marketplace-apps/about-billing-for-github-marketplace).
+**When you cancel a paid app, your access and subscription will end on your next billing date. If you cancel during a free trial, you will lose access immediately**. For more information, see [AUTOTITLE](/billing/managing-billing-for-github-marketplace-apps/about-billing-for-github-marketplace).
 
 {% data reusables.marketplace.downgrade-marketplace-only %}